Record login with an external client

Before you begin

When you use an external client to send requests to the application, a Starting URL is not needed, but ADAC will define a Starting URL for itself after the Explore stage is complete.
Note: If your application uses man-in-the-middle protection, it is not possible to scan it with ADAC as proxy.

About this task

Recording a Login with an external browser lets you teach ADAC which request or requests to send so it can log in during the scan. When you have logged in, AppScan identifies an in-session pattern that it can use in future to verify that it is still logged in.

AppScan must know at all times whether it is logged into or out of the site, so it can evaluate the site's responses correctly. During the scan, AppScan sends the In-Session Detection Request repeatedly, and checks that the response contains the In-Session Detection Pattern, to verify that it is still logged in. If AppScan does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

To record the login:


  1. In Login Management > Login tab, select the Recorded radio button.
  2. Click the red Record button > External client > and then select the client you will use to log in.
    Postman ADAC will open and automatically configure Postman to work with ADAC as recording proxy (IP and port). ADAC will then open its traffic recorder to record the requests you send from Postman.
    SoapUI ADAC will open and automatically configure SoapUI to work with ADAC as recording proxy (IP and port). ADAC will then open its traffic recorder to record the requests you send from SoapUI.
    Note: The configuration change affects any other instances that are open during the session. Therefore it is recommended that you close any open instances before you start, and do not open any while you record. When you close ADAC, SoapUI is also closed, and the settings changed back to what they were before.
    For SSL, see SSL with SoapUI.
    Other Select this option if the client you want to use is installed on a different machine, or if you are using a client other than Postman or SoapUI on the same machine as ADAC. You will be asked to open and configure your client manually, to use ADAC as proxy.

    For SSL, see SSL with other external client.

    ADAC External Login Recorder opens, recording requests you send to your web service from the client. For details, see External Login Recorder

    If you seleted Postman or SoapUI, it also opens, and is configured to use ADAC as recording proxy.
    Note: ADAC can automatically configure Postman or SoapUI only if installed on the same machine as AppScan, otherwise you must select Other, and configure the client yourself in the next step.
    Note: If using SSL, you must also follow these steps: SSL with SoapUI.
  3. If you selected External client > Other, open your client and configure it to use the port and IP shown at the top of the traffic recorder. If the client is on the same machine as ADAC, use the "Local IP" shown, otherwise use the "Remote IP".
    Note: If using SSL, you must also follow these steps: SSL with other external client
  4. From your client, send whatever requests are needed to log in to the site as a valid user. When you are logged in, send an additional request that could be sent only by a logged-in user.
    • Sending the additional request after you are logged in is essential in the case of web services, for ADAC to be able to identify an in-session pattern.
    • Verify that the traffic you sent is shown in the login recorder. If it is not, refer to Traffic recorder troubleshooting.
  5. In the login recorder, click Stop recording, then click Save to close.

    AppScan® extracts the login information from your login request, for use during scanning.

    The Session Information dialog box opens displaying the login requests you recorded, and the gray key icon changes to the green key icon, indicating that in-session detection is active.
    Note: If the key icon turns red the red key icon, AppScan® attempted but was unable to identify any pattern in the in-session page that it can use during scanning to verify that it has not been logged out. If this happens, you need to identify the "in-session pattern" for AppScan®, see Select Detection Pattern dialog box for details. In some cases a more specific message may appear, with a link to a page in this Help for troubleshooting the problem, see Login troubleshooting.
  6. To make changes to the recorded sequence (for example to remove unnecessary steps), refer to Review & Validate tab.
    Tip: Generally speaking the URL which logs the user in (and whose response is the first to include an in-session pattern), should be the one marked In-Session. However, sometimes you may want to select a later URL, that also includes the in-session pattern, but which has the advantage of being a smaller page or of not including tracked parameters or cookies. Additionally, sometimes the POST request with the user credentials is the request which logs you in and first contains the in-session pattern, this is a poor choice for the in-session page, since the in-session check would send the credentials each time, leading to a false positive in session response. See Optimizing In-Session Detection
  7. To save the new login sequence, click OK.
    Tip: If you are sure that the in-session page contains no tracked parameters or cookies, you can improve scan performance by changing the Advanced Configuration > Session Managment: Parse in-session page setting to "False". See Advanced Configuration.

What to do next

Related topics:

Traffic recorder troubleshooting

SSL with SoapUI

Multi-Step Operations